In this tutorial I will show you how to setup Microsoft Intune for iOS/iPadOS. In short we will make sure that devices can be configured and secured to your standards. Let’s jump right in and setup Microsoft Intune.
For this post I will be solely focussing on manual enrollment. In addition to that, I will provide some information about the Automatic Device Enrollment from Apple.
Configure Microsoft Intune for iOS/iPadOS
Grant access to Microsoft to transfer information to Apple.
Download the Intune certificate signing request (CSR). We need that to create a new Apple Push Certificate.
Now it is time to let Apple generate a new Apple MDM push certificate for us. This certificate will give you the ability to manage iOS/iPadOS devices.
You need to have an Apple ID. This can be a personal or business account. For production environments, it is best practise to use a company mail address.
Click on the button to start the process or click the link in the Endpoint Manager portal.
Apple Push Certificates are valid for one year. Therefore you will have to renew this certificate in time. You must use the same Apple ID where you initially created the certificate from.
Grab the CSR file from Microsoft Endpoint Manager. Upload it into the portal.
Download the certificate on the confirmation page. Please make note of the expiration date and renew the certificate in time.
Go back to the Endpoint Manager portal. Enter the Apple ID that you have used to create the new certificate.
Upload the certificate and click Upload.
Microsoft Intune is now ready to enroll iOS/iPadOS devices. Download the Company Portal on a test device to verify the configuration. Do this before anything else to make sure that the configuration works.
Manual Device Enrollment
Users are able to enroll their device with the Company Portal that can be downloaded from the App Store. Meaning that every user can start right away. The app is the central place for applications and will make sure that the device is synchronised with Intune.
To enroll a device follow the steps below.
Download the Intune Company Portal app from the App Store. Open the app and sign in with your Azure Active Directory credentials.
The app will now display the steps for the user to complete. Because privacy on a private device is such a huge topic, the app shows you what Microsoft Intune cannot read or do on the device.
Error: Couldn’t add your device
This means that your Microsoft Intune environment is not fully setup for iOS/iPadOS enrollment. Make sure that you have completed the above steps described in this post.
Allow the policy download and install the profile on the device. As a result, Microsoft Intune is capable of configuring the device.
The device is now fully setup and the Company Portal will report that everything is set. After that we can access the application store and manage the device details from the app. But deleting the app won’t do any difference, since the management profile will always be present.
In conclusion of the above steps, this is how you setup a device within Microsoft Intune. The device is now fully managed and is ready to be configured with settings and apps.
Device details in Endpoint Manager
First of all we will take a look on how a device is shown in the portal. Secondly, we will check some details about the device and where you can find how it is enrolled.
Open the Endpoint Manager portal and go to Devices. After that, click on iOS/iPadOS. You will be presented with a similar overview for Windows devices.
Next, we click on the device. It takes while for device to appear in the list. The portal presents us with the overview of hardware information and installed apps. The ownership in this case is Personal. In other words, the device is privately owned and enrolled by the user.
Automatic Device Enrollment
Managed Apple ID is required
You must have a managed Apple ID for Automatic Device Enrollment. Visit this link to check the requirements.
Since iOS 13 a lot of things changed for Mobile Device Management. From now User Enrollment mode is available which is a Bring Your Own Device (BYOD) model. This feature is now in preview in Microsoft Intune.
Users can enroll their personal devices just fine as long as they are willing to get compliant. Click the button below for a full list of support capabilities,.
To sum it all up: It is not complicated to setup Microsoft Intune for iOS/iPadOS devices. Create and renew an Apple Push Certificate in time. The Company Portal provides access to resources and syncs information from and to Microsoft Intune. Personal devices are enrolled with just a few taps. However, automatic enrollment with company owned devices is a bit more complicated. It involves Automatic Device Enrollment from Apple and Apple Business Manager.